Legislation would give DHS some power over private networks

A new House bill proposes to give DHS some responsibility for ensuring that …

A new bill making the rounds on Capitol Hill will give the Department of Homeland Security some amount of regulatory control over private networks. HR 6423, "The Homeland Security Cyber and Physical Infrastructure Protection Act of 2010," will empower DHS to set cybersecurity standards for some private networks that are considered critical infrastructure.

Among other things, the bill's sponsors claim that HR 6423 is aimed at the following goals:

Creating a new Cybersecurity Compliance Division to oversee the establishment of performance-based standards that reflect the risks particular to the .gov domain and critical infrastructure networks.

Requiring DHS to work with network operators to develop tailored security plans that meet risk-based, performance-based standards, similar to the current chemical security law.

That the federal government wants to at least look like it's making an effort to secure critical infrastructure is no surprise, given how deeply the Stuxnet worm has changed the security game. Allegedly intended for Iran's hidden nuclear program, the worm's existence has massive implications for the security of all manner of privately owned networks that we rely on for basic services. Utilities, telecom, and finance are three key areas that DHS considers vulnerable.

It's not surprising that the Obama administration's Democratic allies in the House are taking this approach to critical infrastructure, given all the talk about deeper public/private cybersecurity collaboration in the president's cybersecurity plan, unveiled earlier this year.

Utility companies, with their local monopolies, may feel that they can afford to skimp on security, and so they may benefit from greater oversight. But it's hard to imagine that many of the other private sector entities that would face new DHS oversight will be any more incentivized than they already are to keep bad actors from bringing down their systems. The idea that DHS will have something to teach a major national bank about keeping its networks from being taken out by a cyberattack seems tough to imagine.

Will the threat of fines from DHS really make them work harder than the threat of being put out of business by a cyberattack?